Some of my work has been covered by the media. Because I lack the time to dedicate each occasion a seperate write-up in my blog, I would like to reference it on this page.
FRITZ!Box Firmware Signature Bypass
A flaw in the firmware update routine of the AVM FRITZ!Box allowed for injection of malicious code into firmware images without breaking their RSA signature.
- RedTeam Pentesting RT-SA-2014-010
- Talk “Your Home is My Castle” given at the OSAK/FSMPI/ALUG Cryptoparty on 2015-06-18 (slides available at RedTeam Pentesting)
- Talk given at CCC Aachen on 2015-07-15 (speaker and slides available at FSMPI Video-AG)
FRITZ!Box remote code execution
The details of the remote code execution exploit were discovered by me through bindiffing the patched and unpatched firmware. Thus, an AVM-independent analysis was allowed for and it was proven that the scope of this vulnerability was broader than initially thought.
o2 default WiFi passwords based on MAC address
It was found, that the default WiFi passwords of many o2 routers were based mostly on publicly available information (MAC address). For my analysis I reversed the password derivation algorithm of the o2 Box 6431. It turned out, that the same algorithm was employed by the o2 Box 4421 and o2 Box 1421 as warker had pointed out in his blog.
In the past, I have disclosed several vulnerabilities of embedded systems to their respective manufacturers. As some of them may not be patched yet, I prefer not to go into details here.
Several vulnerabilities in the firmware signature checking procedure of an embedded system effectively allowed the execution of arbitrary code, when fed with a specially crafted, legit-looking firmware image.(see RT-SA-2014-010)
- The configuration backups of an embedded system, containing sensitive information, were encrypted using keys, that could be guessed easily.
- XSRF vulnerability in an embedded system allowed access to its admin interface, if one node of the internal network is compromised.